SOLVED - openvpn multiwan port-share TCP 80 not working, please help



  • Hi,

    First, I didn't find the same configuration and the same problem on the forum, therefore I wrote this topic.

    I have pfSense 2.1.5 x86 with only the firewall and Suricata set up.

    I have this configuration:

    3x WAN (1. 10.0.0.4, 2. 11.0.0.4, 3. 10.0.0.4)
    1x LAN (192.168.0.1)

    I want the OpenVPN server running on localhost and to port-forward WAN traffic to localhost, where the OpenVPN server is bound.

    I set up NAT:
    WAN1 TCP * * WAN1adress 80 127.0.0.1 1190
    WAN2 TCP * * WAN2adress 80 127.0.0.1 1190
    WAN3 TCP * * WAN3adress 80 127.0.0.1 1190

    I set up the OpenVPN server:
    .....
    protocol: TCP
    device mode: tun
    interface: localhost
    local port: 1190
    .....
    advanced: push "route 192.168.0.0 255.255.255.0";port-share 10.0.0.4 80;

    The problem is that I want to use TCP port 80 (http) on the WAN side. I added this to the OpenVPN server advanced config:

    port-share 10.0.0.4 80

    But I still have this in the client log when connecting:
    WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart…]

    EDIT: I changed the pfSense webConfigurator listen port to 81 and removed port-share 10.0.0.4 80, with no luck.... Before that I also tried port-share 10.0.0.4 443, also with no luck...

    EDIT2: OK, now I disabled bogon and private networks on WAN and disabled the NAT to localhost. Now I tried what is running on the WAN TCP port 80, and there is the pfSense webConfigurator. Is there any solution to force the webConfigurator to run only on the LAN interface (binding only to a specific interface)?

    EDIT3: I disabled the webConfigurator redirection option in the advanced menu and switched to HTTPS, but also with no luck.

    EDIT4: Got it working: disable webConfigurator redirection, set the webConfigurator to use HTTPS, bind the OpenVPN server to localhost on TCP 1194 (default OpenVPN port), create NAT rules for all WANs "WAN1 TCP * * WAN1adress 80(http) 127.0.0.1 1194(openvpn)", and on the WAN interfaces add an allow rule "IPv4 TCP * * WAN1adress 80(http) * * *". Restart and OK...
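The number in the client warning above is itself the diagnostic. OpenVPN in TCP mode prefixes every packet with a 16-bit big-endian length; when the client reads that prefix from whatever answers on the WAN port, the value 18516 is 0x4854, the ASCII bytes "HT", i.e. the start of an "HTTP/1.1 ..." response from the pfSense webConfigurator that was still occupying port 80. The script below is an added example, not part of the original post or of pfSense or OpenVPN; it splits a captured TCP stream into OpenVPN packets using the bound quoted in the warning and, on a bad length, reads the prefix back as raw bytes to say which service actually answered. The two sample streams are constructed for the example, not captured from the poster's firewall.

```python
import struct

# OpenVPN in TCP mode prefixes every packet with a 16-bit big-endian length.
# The upper bound below is the value quoted in the client warning on this page.
MAX_LINK_MTU = 1544


def split_openvpn_tcp(stream: bytes):
    """Split a TCP byte stream into OpenVPN packets.

    Returns (packets, bad_length). bad_length is None when every length
    prefix lies within (0, MAX_LINK_MTU]; otherwise it is the offending value,
    exactly as the OpenVPN client reports it.
    """
    packets = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, pos)
        if length == 0 or length > MAX_LINK_MTU:
            return packets, length
        pos += 2
        packets.append(stream[pos:pos + length])
        pos += length
    return packets, None


def explain_bad_length(length: int) -> str:
    """Interpret a bad length prefix by reading it back as the two raw bytes."""
    raw = struct.pack(">H", length)
    if raw == b"HT":
        return "bytes 'HT': the peer replied with an HTTP response, so a web server owns that port"
    if raw[0] == 0x16 and raw[1] == 0x03:
        return "bytes 16 03: the peer replied with a TLS record, so a TLS server owns that port"
    if raw.isascii() and raw.decode("ascii").isprintable():
        return f"printable ASCII {raw.decode('ascii')!r}: some other text-based service answered"
    return "not recognised; compare --tun-mtu/--link-mtu on both peers"


def diagnose(stream: bytes) -> str:
    """One-line verdict for a captured client-side TCP stream."""
    packets, bad = split_openvpn_tcp(stream)
    if bad is None:
        return f"ok: {len(packets)} OpenVPN packet(s)"
    return f"bad length {bad}: " + explain_bad_length(bad)


# Constructed sample 1: a well-formed stream of two framed packets (payloads arbitrary).
GOOD_STREAM = struct.pack(">H", 14) + b"P_CONTROL_V1.." + struct.pack(">H", 3) + b"ACK"

# Constructed sample 2: what the poster's client saw on TCP 80, a web server's
# redirect reply; its first two bytes "HT" decode to the length 18516.
HTTP_REPLY = b"HTTP/1.1 302 Found\r\nLocation: https://10.0.0.4/\r\n\r\n"


if __name__ == "__main__":
    print(diagnose(GOOD_STREAM))
    print(diagnose(HTTP_REPLY))
```

Running it on the second sample reproduces the 18516 from the poster's log and names the culprit, which is why moving the webConfigurator off port 80 (or to HTTPS with redirection disabled, as in EDIT4) and forwarding 80 to the OpenVPN port fixed the connection.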